While the move represents the first time a major U.S tech company has admitted it can’t protect user data inside U.S. borders, the question of whether it will allow Microsoft to skirt the U.S. government’s ability to obtain user data is still very much in the air.

“In terms of the Electronic Communications Privacy Act (ECPA), whether giving the data over to another company would avoid whatever legal obligations they’re under here is a very fact-specific question,” American Civil Liberties Union staff attorney Alex Abdo told InsideSources. “I’m sure that the federal government would argue that so long as Microsoft has effective control over the data, they could still be subpoenaed for it or they could still be ordered or compelled to turn it over.”

Microsoft has been fighting such a battle with the Justice Department since last year, when the government ordered the Silicon Valley giant to turn over user emails stored in a Microsoft data center in Dublin, Ireland as part of an FBI drug trafficking investigation.

Under ECPA — a law passed under the Reagan Administration in 1986 — the government can subpoena U.S. companies’ business records after they’re 180-days old. In recent years, the definition of eligible business records has expanded to include Americans’ emails after they reach the six-month threshold.

In an effort to protect users’ private data in the wake of mass surveillance program disclosures by NSA whistleblower Edward Snowden in 2013, Microsoft, along with the ACLU and others, spent the last year fighting the order and lobbying for ECPA reform, arguing the DOJ has no authority to compel the Windows maker to turn over data stored on another country’s sovereign soil, and that it must go though the foreign government in question.

The government argues that as a company based in the U.S., Microsoft is obligated to adhere to the law, regardless of the physical location of the server itself.

According to the company’s announcement two weeks ago, it will build two new data storage facilities in Magdeburg and Frankfurt am Main, Germany.

“[A]ccess to customer data stored in these new datacenters will be under the control of T-Systems, a subsidiary of Deutsche Telekom, an independent German company acting as a data trustee,” a company blog post reads. “Microsoft will not be able to access this data without the permission of customers or the data trustee, and if permission is granted by the data trustee, will only do so under its supervision.”

Abdo said that while details about the legal relationship between Microsoft and Deutsche Telekom are unknown, it’s unlikely the DOJ would be deterred.

“I don’t think we know a whole lot about the nature of the relationship between the companies,” he explained. “If Microsoft still had some sort of effective control of the data, then it might be that a U.S. court would agree with the government, but I think that’s kind of an open legal question.”

“It will in part depend on what the courts say about the current legal fight,” Abdo added. “If they say that the government cannot compel Microsoft to turn over information currently, then I don’t think Microsoft gains by moving the data to another country, at least as a matter of U.S. law.”

Though hazy on the legal front, the move is undoubtedly aimed at giving the company a public relations boost in the wake of the Snowden leaks, which revealed Microsoft to be one of the NSA’s closest collaborators in mass surveillance programs like Prism, in some cases even handing over users’ encrypted communications.

The data center announcement was followed by a “3,000-word privacy manifesto” the day after, in which Microsoft President Brad Smith touched on everything from the Foreign Intelligence Surveillance Court — which approves surveillance requests in secret for the NSA — to Snowden himself.

“Microsoft needs to go beyond standing up for the rights of businesses and governments; we need to be a voice for people,” Smith wrote, going on to say the Ireland case “is important not just to Microsoft and its products, partners and customers, but to everyone who uses the Internet.”

“This is about the future of technology,” Smith continued. “With your help, we can create a world in which people can trust the technology they use — a world in which technology continues to empower.”

“Whatever the motive, when companies protect user privacy in a meaningful way, I think that’s a win for everyone,” Abdo said. “Now companies in the U.S., to the extent they didn’t realize it before, know that privacy matter to their customers, and it’s something for which they should be competing. And companies are trying to compete, and that’s great.”

“It’s perfectly understandable that they would try to restructure their storage of data to avoid indiscriminate NSA surveillance,” Adbo said. “But in my mind, the solution to indiscriminate NSA surveillance is not stop indiscriminate NSA surveillance, not to try to restructure the Internet.”

One response to Moving Microsoft’s Data Overseas May Not Keep NSA Out

Much as Abdo would like to see the NSA curtailed, rather than technology adapted in answer to governments that don’t know when to back off, the latter is going to happen, regardless.

The reason being: We don’t have a single, global government. Being a fractured civilization made up of numerous nations, laws, customs, and edifices of authority, it is up to the software companies/designers to consider their customer’s needs and provide what their customers and the market asks for, which is technology that provides the privacy necessary to avoid unwanted snooping by government spies.

It doesn’t matter where the customer or data comes from, or is owned by, as there is always someone with an interest in it, if the data is in-fact, interesting. In the pursuit of law enforcement, this is where things will get very sticky. The US-DOJ is trying to force Microsoft’s hand in Ireland. How long before the Chinese government forces the hand of an equally powerful and data-rich American company to disclose data of interest to the PRC-Gov? Pushing continuously for things that are controversial tends to blow up in one’s face. If we don’t want other nations doing it to us, then we don’t need to be doing it to them. It’s as simple as that, really… a matter of principles of behaviour in a global environment where every angle must be taken into account.